zamalek 8 days ago

> escaping strings going into SQL

This is not how you mitigate SQL injection (unless you need to change which table is being selected from or what-have-you). Use parameters.

1
babyent 8 days ago

You should use parameters but sometimes you need to inject application side stuff.

You just need to ensure you’re whitelisting the input. You cannot let consumers pass in any arbitrary SQL to execute.

Not SQL but I use graph databases a lot and sometimes the application side needs to do context lookup to inject node names. Cannot use params and the application throws if the check fails.
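The pattern both comments describe, shown in one added example that is not code from either commenter: the value goes in as a bound parameter, while the identifiers that cannot be parameters (table and column names) are accepted only from a fixed application-side allowlist. It uses Python's sqlite3 with a constructed in-memory database; the allowlist contents and function names are assumptions for illustration.

```python
import sqlite3

# Hypothetical allowlist of identifiers the application may splice into SQL
# text. Table/column names cannot be bound as parameters, so the only safe
# option is to accept them from a fixed set the application itself controls.
ALLOWED_TABLES = {"users", "orders"}
ALLOWED_COLUMNS = {"users": {"id", "email"}, "orders": {"id", "total"}}


def lookup(conn, table, column, value):
    """Select rows from `table` where `column` equals `value`.

    `table` and `column` are checked against the allowlist and then spliced
    into the SQL text; `value` is never spliced, it is bound via `?`.
    Raises ValueError when the identifier check fails.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    if column not in ALLOWED_COLUMNS[table]:
        raise ValueError(f"column not allowed: {column!r}")
    # Identifiers come only from the allowlist above; the value is a parameter.
    sql = f'SELECT * FROM "{table}" WHERE "{column}" = ?'
    return conn.execute(sql, (value,)).fetchall()


def make_demo_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.test"), (2, "bob@example.test")])
    conn.execute("CREATE TABLE orders (id INTEGER, total REAL)")
    conn.execute("INSERT INTO orders VALUES (10, 42.0)")
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(lookup(conn, "users", "email", "alice@example.test"))
    # A value that would alter a string-concatenated query matches nothing
    # here, because it is bound as a literal string rather than parsed as SQL.
    print(lookup(conn, "users", "email", "x' OR '1'='1"))
    try:
        lookup(conn, "users; --", "email", "x")
    except ValueError as e:
        print("rejected:", e)
```

Escaping the identifier would not help here; rejecting anything outside the allowlist is what makes the splice safe.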